Dmitry Klimkin

Reputation: 457

SSO with ASWebAuthenticationSession/WKWebView fails with scope issue

I have an implementation of the SSO on iOS 13 in Swift 5:

let callbackURLScheme  = "myb://auth"
authSession = ASWebAuthenticationSession(url: url, callbackURLScheme: callbackURLScheme, completionHandler: { (callbackURL: URL?, error: Error? ) in
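    guard error == nil, let successURL = callbackURL else {
        // error can be nil here when only callbackURL is missing, so do not force-unwrap it
        print(error?.localizedDescription ?? "missing callback URL")
        return
    }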

    print(successURL.absoluteString)

    let queryItems = URLComponents(string: successURL.absoluteString)?.queryItems
    let token = queryItems?.filter({ $0.name == "token" }).first?.value

    print(token)
})

if #available(iOS 13.0, *) {
    authSession?.presentationContextProvider = self
    authSession?.prefersEphemeralWebBrowserSession = false
} else {
    // Fallback on earlier versions
}

authSession?.start()

I also tried to do the same in WKWebView and an embedded Safari Controller, and the results are the same: after sign-in and all redirects it ends up with "Access Token does not have required scopes".

If I use the same SSO URL with the regular mobile Safari browser, it ends up with a valid session token.

I'm wondering why it is different and how to make it work in the app?

Upvotes: 1

Views: 1914

Answers (1)

Procrastin8

Reputation: 4503

One thing I've seen mentioned is to not use a callback URL with a slash /. Try making your callbackURLScheme myb:auth instead. Also, you didn't show surrounding code but did you keep a reference to your authSession? If you don't have an instance var to store it, it will fall out of scope and be deallocated.

final class AuthManager: NSObject {
    var authSession: ASWebAuthenticationSession?

    private func startAuthentication() {
        self.authSession = ASWebAuthenticationSession(...)
    }
}

Upvotes: 1
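
An added example (not code from the question or the answer) that combines the answer's two points: the session is stored in a property so it stays alive, and the bare scheme `myb` is passed as `callbackURLScheme`. It also checks the callback URL before reading the token. Assumptions: the server redirects to `myb://auth?token=...`; `AuthError`, `callbackHost` and the `window` parameter are hypothetical names.

```swift
import AuthenticationServices
import UIKit

enum AuthError: Error { case invalidCallback, couldNotStart }  // hypothetical error type

@available(iOS 13.0, *)
final class AuthManager: NSObject, ASWebAuthenticationPresentationContextProviding {
    // Strong reference: a session held only in a local variable is deallocated
    // as soon as the method that started it returns.
    private var authSession: ASWebAuthenticationSession?
    private let callbackScheme = "myb"   // bare scheme, no "://" and no path
    private let callbackHost = "auth"    // assumed redirect target: myb://auth?token=...
    private weak var window: UIWindow?

    init(window: UIWindow) {
        self.window = window
        super.init()
    }

    func startAuthentication(ssoURL: URL, completion: @escaping (Result<String, Error>) -> Void) {
        let session = ASWebAuthenticationSession(url: ssoURL, callbackURLScheme: callbackScheme) { [weak self] callbackURL, error in
            defer { self?.authSession = nil }   // release once the flow has ended
            if let error = error {              // includes .canceledLogin when the user dismisses the sheet
                completion(.failure(error))
                return
            }
            guard let url = callbackURL, let token = self?.token(from: url) else {
                completion(.failure(AuthError.invalidCallback))
                return
            }
            completion(.success(token))         // hand the token to the caller; do not print it
        }
        session.presentationContextProvider = self
        session.prefersEphemeralWebBrowserSession = false  // share Safari cookies, as in the question
        authSession = session
        if !session.start() {
            authSession = nil
            completion(.failure(AuthError.couldNotStart))
        }
    }

    // Accept only the expected scheme and host, then read a non-empty "token" query item.
    private func token(from url: URL) -> String? {
        guard let parts = URLComponents(url: url, resolvingAgainstBaseURL: false),
              parts.scheme == callbackScheme, parts.host == callbackHost,
              let value = parts.queryItems?.first(where: { $0.name == "token" })?.value,
              !value.isEmpty else { return nil }
        return value
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return window ?? ASPresentationAnchor()
    }
}
```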
